Weaver Ant, the Web Shell Whisperer: Tracking a China-Nexus Cyber Operation
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:
Sygnia uncovered a sophisticated China-nexus threat actor, Weaver Ant, targeting a major Asian telecom company. The group employed web shells and tunneling techniques for persistence and lateral movement, maintaining access for over four years. They utilized encrypted China Chopper and custom 'INMemory' web shells, along with a recursive HTTP tunnel tool for internal network access. Weaver Ant demonstrated advanced evasion techniques, including ETW patching, AMSI bypassing, and 'PowerShell without PowerShell' execution. The operation involved extensive reconnaissance, credential harvesting, and data exfiltration. Despite eradication attempts, the group showed remarkable persistence, adapting their tactics to regain access.
OPENCTI LABELS:
espionage, lateral movement, evasion, persistence, china chopper, china-nexus, telecom, web shells, tunneling, inmemory web shell